IMO if numbers on Socket.dev can be trusted, then impact seems rather small (luckily). It also makes sense — I know some packages from the affected list, they're heavily outdated and their upstreams aren't maintained anymore.

Other than this — I don't know how many there are affected people in total, but AUR team probably has an exact number. I am also sure, they're doing their best to handle it accordingly to the impact.